darkcomet | db1b76a817d80a04dfe6236b050aad2e147374023b96d2fc2f5d76f500e8c8a5

General

Target

Satoshimines Bot v.1.5/Satoshimines Bot v.1.5.exe
Size

828KB
MD5

3cc0ae207c7597abbe76ba8d60465d00
SHA1

1117b9cc9ffeb6b1ae95c97c5dd00bf024d24749
SHA256

e2f3cafdafc0f70cdde815608b64021924b0f692b3eeeebaf21f43170d842697
SHA512

23ffddaad4e792e6968e84b96a44dccca3b761edc3d09c95d69da5fbfb046f3687368f70a6d606f2311676c9aa7861d38555ca5c6c9e619a85eea9e7352abdd5
SSDEEP

12288:/nugCZKX4u2O1jUQLl4xohDzKi/WwYvcBwg61ikvvA33cBU7keVZ:2gCQXFFLl44DWPcBwg6osvA3x7kAZ

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

lisa000.hopto.org:1606

Mutex

DC_MUTEX-Q6C5RK4

Attributes

gencode
f2TScExw93wd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Satoshimines Bot v.1.5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\z7WJ0VV41XJKVUuN\\XdeykwG4mqsG.exe\",explorer.exe"	Satoshimines Bot v.1.5.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1440-6-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-7-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-13-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-19-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-28-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-32-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1440-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Satoshimines Bot v.1.5.exe

description pid process target process

PID 1896 set thread context of 1440 1896 Satoshimines Bot v.1.5.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Satoshimines Bot v.1.5.exe

pid process

1896 Satoshimines Bot v.1.5.exe
1896 Satoshimines Bot v.1.5.exe

description	pid	process	target process
PID 1896 set thread context of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe

pid	process
1896	Satoshimines Bot v.1.5.exe
1896	Satoshimines Bot v.1.5.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Satoshimines Bot v.1.5.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1896	Satoshimines Bot v.1.5.exe
Token: SeDebugPrivilege	1896	Satoshimines Bot v.1.5.exe
Token: SeIncreaseQuotaPrivilege	1440	vbc.exe
Token: SeSecurityPrivilege	1440	vbc.exe
Token: SeTakeOwnershipPrivilege	1440	vbc.exe
Token: SeLoadDriverPrivilege	1440	vbc.exe
Token: SeSystemProfilePrivilege	1440	vbc.exe
Token: SeSystemtimePrivilege	1440	vbc.exe
Token: SeProfSingleProcessPrivilege	1440	vbc.exe
Token: SeIncBasePriorityPrivilege	1440	vbc.exe
Token: SeCreatePagefilePrivilege	1440	vbc.exe
Token: SeBackupPrivilege	1440	vbc.exe
Token: SeRestorePrivilege	1440	vbc.exe
Token: SeShutdownPrivilege	1440	vbc.exe
Token: SeDebugPrivilege	1440	vbc.exe
Token: SeSystemEnvironmentPrivilege	1440	vbc.exe
Token: SeChangeNotifyPrivilege	1440	vbc.exe
Token: SeRemoteShutdownPrivilege	1440	vbc.exe
Token: SeUndockPrivilege	1440	vbc.exe
Token: SeManageVolumePrivilege	1440	vbc.exe
Token: SeImpersonatePrivilege	1440	vbc.exe
Token: SeCreateGlobalPrivilege	1440	vbc.exe
Token: 33	1440	vbc.exe
Token: 34	1440	vbc.exe
Token: 35	1440	vbc.exe
Token: 36	1440	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1440 vbc.exe

pid	process
1440	vbc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Satoshimines Bot v.1.5.exe

description	pid	process	target process
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe
PID 1896 wrote to memory of 1440	1896	Satoshimines Bot v.1.5.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Satoshimines Bot v.1.5\Satoshimines Bot v.1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Satoshimines Bot v.1.5\Satoshimines Bot v.1.5.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
1⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-32-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-6-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-7-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1896-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-0-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/1896-2-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-17-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-16-0x0000000075132000-0x0000000075133000-memory.dmp

Filesize
4KB

Download
memory/1896-3-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1896-18-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads